Sync Kapefiles (#3160)

Velocidex · Dec 12, 2023 · badd34f · badd34f
1 parent 21b841d
commit badd34f
Show file tree

Hide file tree

Showing 10 changed files with 714 additions and 674 deletions.
diff --git a/accessors/s3/session.go b/accessors/s3/session.go
@@ -8,20 +8,20 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
+	"www.velocidex.com/golang/velociraptor/constants"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 	"www.velocidex.com/golang/velociraptor/vql/networking"
 	"www.velocidex.com/golang/vfilter"
 )
 
 const (
-	S3_CREDENTIALS = "S3_CREDENTIALS"
-	S3_TAG         = "_S3_TAG"
+	S3_TAG = "_S3_TAG"
 )
 
 func GetS3Session(scope vfilter.Scope) (*session.Session, error) {
 	// Empty credentials are OK - they just mean to get creds from the
 	// process env
-	setting, pres := scope.Resolve(S3_CREDENTIALS)
+	setting, pres := scope.Resolve(constants.S3_CREDENTIALS)
 	if !pres {
 		setting = ordereddict.NewDict()
 	}

diff --git a/accessors/smb/cache.go b/accessors/smb/cache.go
@@ -13,6 +13,7 @@ import (
 	"github.com/hirochachacha/go-smb2"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
+	"www.velocidex.com/golang/velociraptor/constants"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 	"www.velocidex.com/golang/vfilter"
 )
@@ -179,7 +180,7 @@ func getCreadentials(
 	ctx context.Context, scope vfilter.Scope, hostname string) (
 	*smb2.NTLMInitiator, error) {
 
-	credentials, pres := scope.Resolve("SMB_CREDENTIALS")
+	credentials, pres := scope.Resolve(constants.SMB_CREDENTIALS)
 	if !pres {
 		return nil, errors.New("No credentials provided for smb connections")
 	}

diff --git a/accessors/ssh/session.go b/accessors/ssh/session.go
@@ -5,18 +5,15 @@ import (
 	"fmt"
 
 	"golang.org/x/crypto/ssh"
+	"www.velocidex.com/golang/velociraptor/constants"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 	"www.velocidex.com/golang/vfilter"
 )
 
-const (
-	SSH_CONFIG = "SSH_CONFIG"
-)
-
 func GetSSHClient(scope vfilter.Scope) (*ssh.Client, func() error, error) {
 	// Empty credentials are OK - they just mean to get creds from the
 	// process env
-	setting, pres := scope.Resolve(SSH_CONFIG)
+	setting, pres := scope.Resolve(constants.SSH_CONFIG)
 	if !pres {
 		return nil, nil, errors.New("Configure the 'ssh' accessor using 'LET SSH_CONFIG <= dict(...)'")
 	}

diff --git a/artifacts/definitions/Linux/KapeFiles/CollectFromDirectory.yaml b/artifacts/definitions/Linux/KapeFiles/CollectFromDirectory.yaml
diff --git a/artifacts/definitions/Windows/KapeFiles/Targets.yaml b/artifacts/definitions/Windows/KapeFiles/Targets.yaml
diff --git a/artifacts/definitions/Windows/Search/FileFinder.yaml b/artifacts/definitions/Windows/Search/FileFinder.yaml
@@ -54,6 +54,7 @@ parameters:
       - registry
       - file
       - ntfs
+      - ntfs_vss
 
   - name: YaraRule
     type: yara
@@ -76,6 +77,11 @@ parameters:
     default: ""
     type: timestamp
 
+  - name: VSS_MAX_AGE_DAYS
+    type: int
+    description: |
+      If larger than 0 we restrict VSS age to this many days
+      ago. Otherwise we find all VSS.
 
 sources:
   - query: |

diff --git a/bin/artifacts.go b/bin/artifacts.go
@@ -260,11 +260,10 @@ func doArtifactCollect() error {
 	}
 
 	query := `
-  SELECT * FROM collect(artifacts=Artifacts, output=Output, report=Report,
-                        level=Level, template=Template,
-                        timeout=Timeout, progress_timeout=ProgressTimeout,
-                        cpu_limit=CpuLimit,
-                        password=Password, args=Args, format=Format)`
+  SELECT * FROM collect(
+     artifacts=Artifacts, output=Output,
+     level=Level, timeout=Timeout, progress_timeout=ProgressTimeout,
+     cpu_limit=CpuLimit, password=Password, args=Args, format=Format)`
 	err = eval_local_query(
 		sm.Ctx, config_obj,
 		*artifact_command_collect_format, query, scope)

diff --git a/constants/constants.go b/constants/constants.go
@@ -90,6 +90,15 @@ const (
 	USN_FREQUENCY       = "USN_FREQUENCY"
 	ZIP_FILE_CACHE_SIZE = "ZIP_FILE_CACHE_SIZE"
 
+	// Used by the SSH accessor to configure access
+	SSH_CONFIG = "SSH_CONFIG"
+
+	// Used by the SMB accessor to configure credentials.
+	SMB_CREDENTIALS = "SMB_CREDENTIALS"
+
+	// Used by the S3 accessor to configure credentials.
+	S3_CREDENTIALS = "S3_CREDENTIALS"
+
 	// VQL tries to balance memory/cpu tradeoffs and also place limits
 	// on memory use. These parameters control this behavior. You can
 	// set them in the VQL environment to influence how the engine

diff --git a/gui/velociraptor/package.json b/gui/velociraptor/package.json
@@ -13,7 +13,6 @@
         "@fortawesome/react-fontawesome": "0.2.0",
         "@popperjs/core": "^2.11.8",
         "axios": ">=1.6.2",
-        "axios": ">=1.6.1",
         "ace-builds": "1.31.2",
         "axios-retry": "3.9.0",
         "bootstrap": "^4.6.2",

diff --git a/services/repository/repository.go b/services/repository/repository.go
@@ -484,6 +484,8 @@ func (self *Repository) List(ctx context.Context,
 		}
 	}
 
+	sort.Strings(results)
+
 	return results, nil
 }
 
@@ -492,7 +494,6 @@ func (self *Repository) list() []string {
 	for k := range self.Data {
 		result = append(result, k)
 	}
-	sort.Strings(result)
 	return result
 }